Free Hacking Lessons from Google

Google has created a Web application full of exploitable bugs to help webmasters better understand the most common type of Web attacks and learn how to prevent them. Codenamed Jarlsberg, the project is part of the Google Code University's "Web Application Exploits and Defenses" codelab.

The Jarlsberg application, named after the eponymous cheese brand famous for its holes, is vulnerable to several types of cross-site attack conditions, including cross-site scripting (XSS), cross-site request forgery (XSRF) and cross-site script inclusion (XSSI). The are also bugs that facilitate client-state manipulation, path traversal, information disclosure, denial of service or remote code execution.

"Jarlsberg was written specifically to teach about security. More specifically, it is a tool to show how to exploit web applications and, in turn, protect against those exploits when developing software. […] The codelab walks participants through a number of common web application vulnerability types and demonstrates how an attacker could exploit such vulnerabilities," explains Bruce Leban, one of the three people behind the project and a member of Google's Software Engineering Team.

The laboratory is structured in five parts and users can attend it by accessing http://jarlsberg.appspot.com and completing the tasks described on every page. This can also be used as a training tool for development teams inside companies. For such scenarios, an instructor's guide (PDF) proposing various practical exercises is also available.

The Jarlsberg code is available under a Creative Commons License, while the instances being attacked during the course run within their own sandbox and can easily be reset to their initial state if something gets seriously broken. According to Leban, the whole project is guided by the maxim "given enough eyeballs, all bugs are shallow," however, some people could argue that providing free hacking lessons to virtually anyone might not be a great idea, especially given how widespread these types of vulnerabilities are on the Web.

Nevertheless, Google is not the first to think of such a practical teaching tool. The Open Web Application Security Project (OWASP) develops a similar insecure Web application dubbed WebGoat. The application contains a variety of lessons and is coded in Java, making it cross-platform. Compared to Jarlsberg, WebGoat is a mature project and includes information on a wider array of vulnerabilities, including various types of SQL injection.